Stabilized quantum-enhanced SIEM architecture and speed-up through Hoeffding tree algorithms enable quantum cybersecurity analytics in botnet detection

For the first time, we enable the execution of hybrid quantum machine learning (HQML) methods on real quantum computers with 100 data samples and real-device-based simulations with 5000 data samples, thereby outperforming the current state of research of Suryotrisongko and Musashi from 2022 who were dealing with 1000 data samples and quantum simulators (pure software-based emulators) only. Additionally, we beat their reported accuracy of 76.8% by an average accuracy of 91.2%, all within a total execution time of 1687 s. We achieve this significant progress through two-step strategy: Firstly, we establish a stable quantum architecture that enables us to execute HQML algorithms on real quantum devices. Secondly, we introduce new hybrid quantum binary classifiers (HQBCs) based on Hoeffding decision tree algorithms. These algorithms speed up the process via batch-wise execution, reducing the number of shots required on real quantum devices compared to conventional loop-based optimizers. Their incremental nature serves the purpose of online large-scale data streaming for domain generation algorithm (DGA) botnet detection, and allows us to apply HQML to the field of cybersecurity analytics. We conduct our experiments using the Qiskit library with the Aer quantum simulator, and on three different real quantum devices from Azure Quantum: IonQ, Rigetti, and Quantinuum. This is the first time these tools are combined in this manner.

of a quantum system is yet to be fully coined.This is a goal of our present work.In this paper, we introduce Quantum Cybersecurity Analytics (QCA) as a field that employs quantum technology, particularly quantum machine learning, to devise cybersecurity solutions.
We address the challenges and computational demands inherent to quantum machine learning algorithms through the creation of a stable architecture and the adaptation of the Hoeffding tree algorithm for incremental learning 11 .The current state of the art defined in Ref. 12 shows the classification with a hybrid approach of 1000 data samples on a quantum simulator from a botnet dataset with an accuracy of 76.8%, whereas the total execution time is not reported.In their study, no signs of any real-device-based simulations or even computations on real quantum devices is shown.We outperform these achievements in the following ways: 1. We have extended the maximum sample size from 1000 to 5000 data samples in a quantum machine learning method, using real-device-based simulation through the quantum-enhanced Hoeffding Tree Classifier (QHTC) algorithm.Our method achieves an average accuracy of 91.2% and a final-round accuracy of 100%, all within a total computation time of 1687 s, which is on par with the total execution time observed in locally deployed quantum simulations.2. Furthermore, and for the first time, we implemented various HQBCs on actual quantum devices.We managed to process a maximum of 100 randomly fixed data samples, achieving a top accuracy of 59.0%.
In addition, our work makes the following additional contributions: 1. We overcome the pitfalls due to the instabilities of long-running code on three different Azure Quantum Providers by code hardening.2. We apply the batch-wise Hoeffding Tree algorithm instead of the usual loop-wise algorithms relying on gradient descent.3. We compare a diverse set of binary classifiers on real devices, on real-device-based simulations as well as quantum simulators.All experiments are conducted consistently using the IEEE Botnet DGA dataset.4. Quantum Cybersecurity Analytics is made possible.
The source code implementation is publicly available on GitHub 13 .

Methods
This section emphasizes the experimental decisions made in this research.The first subsection covers the selection of quantum devices, real-device-based simulators, and quantum simulators utilized for conducting the experiments.The second subsection provides an explanation for the selection of the IEEE Botnet DGA Dataset, justifying its suitability for the analysis conducted in this research.

Selected platforms
For this research, we opted to use a combination of real quantum devices, real-device-based simulators, and quantum simulators (pure software-based emulators) to reproduce the results reported in the study by Suryotrisongko et al. 14 , which focused exclusively on quantum simulators.Additionally, our experiments were conducted on three Azure Quantum Providers to expand the research scope beyond the utilization of IBM Quantum 14 .The real quantum devices we selected for our experiments were IonQ, Rigetti, and Quantinuum.To perform quantum simulations, we relied on the Qiskit SDK, utilizing Aer for simulations and real-device-based simulations.
The quantum computing configurations used in our experiments are presented in Table 1.The first column introduces a naming convention for referencing the platforms, facilitating better comprehension of the experimental results presented.Platforms functioning as real quantum devices are denoted by their respective names followed by the letter R. Platforms that combine real quantum devices with simulations, thereby serving as realdevice-based simulators, are denoted by their names followed by the letter S.
Table 1.Naming conventions for selected platforms shown with their machine name and their device mode (quantum simulator, real-device-based simulator, or real quantum device).

Reasons for instability
The current versions of Qiskit ML classifiers (qiskit-0.41.1 and qiskit-machine-learning-0.  We discovered that the stability of computing and network elements within the architecture is the primary limitation of cloud-based quantum computer delivery.However, none of our experiments on real quantum devices could last longer than three weeks.We were unable to establish a stable Transport Layer Security (TLS) connection and authentication for a 1000 random fixed data sample, leading us to select a reduced sample size of 100 random fixed data points for real quantum devices.The next subsection will present an architecture design that addresses points (1)-( 5) in List 1 of instability reasons, followed by a subsection that will discuss necessary algorithmic changes to tackle point (6) in List 1.It is important to note that our experiments running on quantum simulators did not exhibit any instability.

Stabilized architecture
Our enhanced architecture design addresses the instability reasons (1)-( 5) in List 1.The original architecture that led to instabilities consisted of an Azure real quantum device and an Azure component that involves an Azure Job Management, a storage account and an authentification component.The updated architectures introduce additional components to solve the instability issues mentioned in List 1. Experiments except QHTC are build on the architecture displayed in Fig. 1 and QHTC experiments apply the architecture in Fig. 2. Table 3 shows a series of steps that were executed to amend the instabilities.
The architecture for experiments except QHTC includes a preceding step in a Google Cloud instance, where a Jupyter and Google Colab Notebook can be deployed on dedicated virtual machines to enable longer runtimes beyond the 24-h limit.The additional Jupyter Notebook facilitates the implementation of Qiskit code changes for exception handling specific to the algorithm and real quantum device.The Google Colab Pro+ Notebook provides stable runs for more than 1000 random fixed data samples.Additionally, a monitoring instance of a Google Cloud Platform (GCP) virtual machine with diverse logging capabilities aids in identifying, tracking, and resolving errors, including authentication and session failures.www.nature.com/scientificreports/HQML opens the door to a new generation of Security Information and Event Management (SIEM) systems known as quantum-enhanced SIEM (QSIEM).To illustrate the functioning of QSIEM, we present the first use case: defending against DGA botnet attacks for Distributed Denial of Service (DDoS) at the application layer using QSIEM.The integration of HQML with a robust SIEM like Azure Sentinel becomes highly beneficial at OSI-layer 7 (application layer), where HTTP and DNS traffic occur.This integration enables the detection of malicious domain names generated by DGA-Botnets for command-and-control servers, which are crucial for coordinating DDoS attacks.By identifying and blocking traffic associated with these domains, botnets can be prevented from receiving commands or initiating attack traffic.
Our stabilized architecture aligns with the concept of a QSIEM solution.The steps in Fig. 3 are explained in List 2. Steps (2)-( 9) are specific to training the HQML algorithm, while the productive algorithm utilizes telemetry input data to generate a classification using Quantum SIEM and Azure Sentinel, which is then displayed on the dashboard.

List 2: Steps in the solution architecture
(1) Gather and preprocess the telemetry data required for the algorithm described in the next subsection.
(2) Perform classic feature engineering as described in "Methods" section.
(3) Deploy the algorithm for production use on Azure Quantum service.( 4)- (7) Execute the entire circuit to and from the real quantum devices using the classical loop.

Quantum-enhanced Hoeffding tree classifier (QHTC)
This subsection first describes the historical development of our scientific advances in the direction of the solution, followed by an explanation of the QHTC.A realistic QCA solution, i.e., the QSIEM in the previous subsection, needs to be able to process online big data streaming.Hence, we sought an incremental approach to be applied to already known HQBCs.The most promising algorithmic candidate to reduce execution time and improve accuracy when executed on real-devicebased simulators was the PegasosQSVC, in our opinion.Due to its stochastic gradient descent (SGD) optimizer, the PegasosQSVC performs fewer calculations by iterations and results in better generalization properties of the trained model than conventional gradient descent 19 .Instead of making the PegasosQSVC truly incremental, we applied a batch-wise strategy as an intermediate step between algorithms that need to process the entire training or test data samples at once and incremental algorithms.
The performance of PegasosQSVC with respect to accuracy development over time is displayed in Fig. 4 for batch sizes of 1000 as well as 100 random fixed data samples on the quantum simulator Aer.The PegasosQSVC shows good behavior in terms of accuracy increase with the number of batches if a batch size of 1000 data samples per batch is applied.But the real quantum devices are not able to handle 1000 data samples, but only 100 data samples per batch, as the results in Table 4 will show.In contrast, a batch size of 100 samples will not exhibit the appropriate increase in accuracy on real-device-based simulators or real quantum devices.Smaller batch sizes in the range of 100 data samples require a higher number (one magnitude) of circuits to be sent to the real quantum device, which will extend the execution time to an inappropriate level.This is the dilemma of limited data volumes in the Noisy Intermediate-Scale Quantum (NISQ) era.
Therefore, we decided to transition to a truly incremental algorithm and apply it batch-wise to reduce the number of shots sent to the real quantum device.The accuracy of a truly incremental algorithm will not suffer in this way.This was the breakthrough in terms of the algorithm's accuracy and execution time on real-devicebased simulators.
We found the algorithmic solution in a quantum-modified version of an incremental decision tree approach called the Hoeffding tree algorithm 20 .It is a generation algorithm for incremental decision trees that applies the Hoeffding bound 21,22 .The standard non-incremental version of the decision tree takes all data samples per leaf at once to compute a decision criterion per leaf.In contrast, the incremental version of a decision tree can process one data sample after another.The main advantage of this generation algorithm is that it guarantees, under realistic assumptions, the generation of an asymptotically arbitrarily similar incremental version of a decision tree compared to the same non-incremental version of the decision tree.Simultaneously, it maintains efficient computation speed.Additionally, the Hoeffding bound is independent of the probability distribution of the data samples.However, this implies the disadvantage that the Hoeffding bound, compared to distribution-dependent bounds, requires more data samples to reach the same level of similarity between the incremental version and non-incremental version of the decision tree.
We introduce the abbreviation HTC (Hoeffding tree classifier) for the original Hoeffding tree.Our quantummodified version is called the quantum-enhanced Hoeffding Tree Classifier (QHTC), as presented in algorithm 3 and described below.QHTC is a batch-wise learning procedure that applies HTC with modified input data.We apply the HTC in an equivalent version following the HTC implementation of Ref. 23 that is shown in Algorithms 1 and 2. The first step of QHTC is the mapping of the classical features of the input data to the quantum feature space using ZFeatureMap, although other mappings are also possible.Each feature column entry in the feature row represents a data point in quantum space (qubit) on the Bloch sphere and we want to measure the length of the cycle connecting all qubits per feature row.The reason is that the distance between two qubits represents a measure of how distinguishable they are.This cycle length is referred to as a ' quantum walk' in the code.
The measurement of the cycle length relies on measuring the distance between two qubits on the Bloch sphere.For that, each qubit is converted via wave functions to its density matrix.These density matrices are listed in the   same order as the classical feature columns and the trace distance of two density matrices is applied to measure the distance between two qubits that are neighbors on the cycle.The cycle length is determined by the order of data points in quantum space and, hence, by the order of the classical features given in the original data set.The determination of a distance metric that allows reordering of feature columns is left for future research.The initialization of HTC is performed accordingly.The batch-wise computation of an incremental decision tree reduces the number of shots sent to the real quantum device drastically compared to usual loop-based optimizers, while not compromising its accuracy.This provides a solution to the instability reason (6a) mentioned in List 1.It allows us to deal with the realistic behavior of today's real quantum devices that are prone to instability due to the noise problem inherent in today's NISQ devices.The execution times and the accuracy benefit accordingly, as the results in the next section show in more detail.
www.nature.com/scientificreports/Algorithm 2. TreeNode (as part of Algorithm 1).Table 6.Metric results in terms of accuracy, F1-score and AUC for algorithm QHTC, displayed for five batches with 1000 data samples each and their average.On real-device-based simulators of quantum devices, it is the first time that a HQML algorithm run stable with 5000 data samples.All experiments reported by Ref. 12 are conducted with the VQC algorithm and on the platform Aer.Among them, we show the one with the optimizer COBLYA, because we applied the same here, and with an optimizer (RawFeatureVector) that resulted in the maximal accuracy.Both experiments applied the variational form RealAmplitudes as we did in this study, where applicable.The PegasosQSVC on Aer exceeds the experimental results of Ref. 12 in accuracy (90%) and in addition, it yields very good execution time (45 s).However, the QHTC algorithm outperforms all other binary classifiers in terms of accuracy, achieving perfect accuracy of 100% already after three out of five batches.The accuracy is discussed in more detail in the next subsection.Furthermore, QHTC exhibits significantly reduced total execution time (1687 s) of two orders of magnitude compared to other algorithms on real-devise-based simulators.QHTC make the cost of the second batch of 1000 data samples manageable.In contrast, other algorithms struggle to achieve the second batch.These algorithms would still require much longer calculation time if all conditions remain stable.
The experiments conducted on real-device-based simulators and real quantum devices are considered as a first step, and further improvements and specific implementations for each algorithm on different devices can be explored in future research.Overall, these results demonstrate that it is possible to construct superior algorithms for cloud-based NISQ deployments on real-device-based simulator Rigetti, achieving comparable execution times to quantum simulators while exceeding in terms of accuracy.

Performance metrics of QHTC
We show the results of our QHTC (see algorithm 3) which is configured to run with five batches containing 1000 random fixed data samples each.We apply the feature map ZFeatureMap provided by Qiskit.Table 6 demonstrates achievements in terms of accuracy improvement.The increase in accuracy with the number of batches meets our expectations.We obtained an average accuracy of 91.2% and a final-round accuracy of 100% for QHTC already after three out of five batches.We used the same features and the same dataset as Ref. 12 to be able to compare our results with theirs.These features are the same features that are available in the entire dataset itself.This may be the reason for such high accuracy.In future research, we can further improve the metric computation to avoid over-fitting and to make it more realistic by applying a PCA analysis as well as using a k-fold cross-validation per batch, with k = 10 for example.In addition, the features EntropyValue and RelativeEntropy possess strong predictor properties for the entire dataset.Hence, the same issue will probably not happen to other datasets that don't possess very strong predictor features.

Conclusion and future work
Cybersecurity Analytics involves the collection of data to gather evidence, construct timelines, and analyze threats, thereby enabling the design and execution of a proactive cybersecurity strategy that detects, analyzes, and mitigates cyber threats.The next-generation Quantum Cybersecurity Analytics utilizes HQML to monitor network activity, promptly identify resource use or network traffic changes, and address threats.This advancement paves the way for a new generation of SIEM systems called quantum-enhanced SIEM (QSIEM).To illustrate how QSIEM operates, we presented the first use case of defending against DGA botnet attacks for DDoS at the application layer using quantum-enhanced SIEM.
As cybersecurity is built upon the analysis of amounts of big data, today's NISQ era poses an obstacle for QSIEM for cybersecurity due to its inherent instabilities that enlarge with repeated and prolonged computations.This study found a way to overcome parts of the problem by proposing a new form of HQBCs that lead to significant improvements in the result's accuracy as well as the algorithm's execution times with real-device-based simulations compared to previous algorithms.The breakthrough was the application of a quantum-enhanced version of the incremental Hoeffding tree algorithm in a batch-wise version in order to take account of large amounts of incoming online stream data in addition to responding to the need for a reduced number of shots to the real quantum device.In addition to the improved accuracy, the experimental run times in real-device-based simulations were reduced drastically by three orders of magnitude to be in the same order as with the previous algorithms on the quantum simulator Aer that is deployed locally.
In general, the world of quantum simulators is much more beautiful than the world of computations on real quantum devices.This study showed for the first time that HQML algorithms were able to run stably with 100 random fixed data samples for several weeks on Azure Quantum Providers Rigetti, Quantinuum, and IonQ together with the library Qiskit.It is the first time these tools were combined.We achieved this by code hardening throughout the entire data flow process from the Jupyter Notebook to the real quantum devices, including all communications and algorithm-specific implementations of APIs per real quantum device.However, future research needs to build upon our progress in order to make the quantum computations on real devices stable for a much larger portion than 100 random fixed data samples, being just a very small fraction of the entire IEEE Botnet DGA Dataset.The enlargement of stability may also be pursued in the case of quantum simulations, as we only used a random fixed sample size of 1000 in the usual HQBC case and a random fixed sample size in the QHTC case when conducting real-device-based simulations.
Moreover, we left the implementation of additional coding routines in order to enforce all specific real quantum devices or real-device-based simulators in the case of the quantum-enhanced version as well as the original version of the Hoeffding tree algorithm for future investigations.In addition, the determination of a distance metric for QHTC that allows reordering of feature columns is left for future research.Our focus of this study in this regard was to show the excellent properties of these HQBCs for the DGA botnet classification problem in which we succeeded.
For future research, we also suggest investing more into PegasosQSVC because if we combine quantum supervised learning with rewarding and quantum reinforcement learning, we may have groundbreaking www.nature.com/scientificreports/cybersecurity tools.Because current NISQ and hybrid models can support up to 5600 qubits, perhaps we don't have a 5600 network feature in cyber data.Resulting from that, even in this NISQ period, we can probably make strong cyber use cases for existing quantum computers and HQML.Furthermore, it is an open question as to what practical problem of which scientific fields the same approach of quantum-enhanced Hoeffding tree algorithms might apply as well.The UMUDGA dataset may be a next suitable choice for the DGA botnet detection field.We elaborated on a number of features of the IEEE Botnet DGA Dataset in order to give researchers from other fields a good starting point for their investigations.

3 .
Issues in the communication between real quantum devices and notebooks (a) Authentication and session failures.4. Issues with the Jupyter Notebook on the client side (a) Termination after a maximum of 24 h, regardless of CPU or RAM power. 5. Issues related to different real devices (a) Deprecated application programming interfaces (API)s of Qiskit.6. Issues stemming from the nature of the algorithm (a) Excessive number of loops.(b) Lack of code portability.(c) Inadequate exception handling.

( 8 )
Collect all the results and accumulate the final output.(9) Save and update the classification algorithm.(10) Integrate the classification algorithm with Azure Sentinel.

Figure 1 .
Figure 1.Stabilized architecture of experiments on real quantum devices comprising of three components Google Cloud, Azure and Azure Quantum Providers.

Figure 2 .
Figure 2. Stabilized architecture for QHTC experiments on quantum simulators Aer and Rigetti-S.The difference in implementation originates from differences in library functionalities available on Aer and Rigetti-S.

Figure 3 .
Figure 3. Quantum-enhanced SIEM: The individual steps are marked with numbers in red circles and are explained in List 2.

Figure 4 .
Figure 4. PegasosQSVC's accuracy on quantum simulator AER with (a) a batch size of 100 data samples does not improve its accuracy with an increased number of batches, unlike with (b) a batch size of 1000 data samples. https://doi.org/10.1038/s41598-024-51941-8

Table 2 .
14lected descriptive statistics of the IEEE Botnet DGA Dataset14for the seven features according to the Anderson-Darling normality test.

Table 3 .
Steps taken to address the instabilities and the resulting influence on the instability number as displayed in List 1.

Table 4 .
Performance results in terms of accuracy and total execution time T total of real quantum devices, using 100 data samples for all runs.For each algorithm and platform, the choice of the optimizer is also shown.The choice of feature map is ZFeatureMap for all experiments.